On September 21, a dump of an e-mail account belonging to a White House contractor was posted to the "hacktivist" website DCleaks.com. This is the same site that already revealed e-mails from former Secretary of State Colin Powell, a Navy captain leading a weapons procurement program, and a public relations person who has done advance work for Hillary Clinton. The latest victim did advance work for travel by First Lady Michelle Obama and Vice President Joe Biden. Attributing the leak will be difficult because, as with previous "dumps" published on DCleaks, the compromised account's password information was widely available on the Internet from a previous data breach.

An unnamed US intelligence official was quoted by NBC News as calling the leak of contractor Ian Mellul's e-mails "the most damaging compromise of the security of the president of the United States that I've seen in decades"—one caused by the use of an outside personal e-mail account for government business. The e-mails included full scans Mellul had forwarded to himself from a White House e-mail account of passports, including Michelle Obama's. Mellul likely forwarded the e-mails to his Gmail account because he couldn't access White House mail offsite without a secure device.

Government sources have described DCleaks.com as being connected to Russian intelligence organizations. But just about anyone could have gotten into Ian Mellul's e-mail if he was using the same password for his Gmail account that was exposed in a 2013 breach of Adobe user data, just as Navy Captain Carl Pistole's password was. The accounts of Powell and of Sarah Hamilton were both leaked as part of a 2012 breach of Dropbox's user data, according to data from HaveIBeenPwned.

The earlier exposure of Mellul's account in the Adobe breach, combined with the rest of the accounts attacked and DCleaks.com's overall digital footprint, makes the attribution of the e-mail exposures much more difficult. The DCleaks domain was registered through an Australian domain privacy service. The site itself is hosted by a company in Malaysia and runs on WordPress using a commercial theme called "Stockholm," from the Australian design firm Envato—a fairly out-of-the-box site with its MySQL server ports left open to the Internet.

Anyone with the time or money to sift through breached user data for targets connected to the US government could be behind the exposure of the e-mails. And while DCleaks has particularly targeted Clinton, her husband former President Bill Clinton, the Clinton Foundation, and George Soros' Open Society Foundation in past document dumps—leading to suspicions that someone working on behalf of the Russian government was behind them—plenty of other, less sophisticated "cyber actors" out there might want to dump trash on Obama and Clinton. As former US Assistant Attorney General Jack Goldsmith said in a panel on the Democratic National Committee breach earlier this week, "The number of actors who could do this are many, and our ability to defend against it is uncertain."

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat